fix: Rename enable_auth -> enable_entra_id_authentication

infrastructure/modules/container-app-job/README.md

@@ -55,11 +55,11 @@ The container app job can be mapped to Azure Key Vaults for secret management:
   - Secret names in Key Vault must use hyphens (e.g., `SECRET-KEY`). These are mapped to environment variables with underscores (e.g., `SECRET_KEY`).
   - Secrets are updated when Terraform runs, or automatically within 30 minutes.
 
-**Warning:** The module cannot read from a key vault if it doesn't exist yet. Recommended workflow:
+**Warning:** The module cannot read from the app key vault if it doesn't exist yet. Recommended workflow:
 1. Create the key vault(s) using the [key-vault module](../key-vault/).
-2. Deploy the container app with `fetch_secrets_from_app_key_vault = false` (default) and/or `enable_auth = false`.
+2. Deploy the container app with `fetch_secrets_from_app_key_vault = false` (default).
 3. Manually add the required secrets to the key vault(s).
-4. Set `fetch_secrets_from_app_key_vault = true` and/or `enable_auth = true`, then re-run Terraform to populate the app with secret environment variables and enable authentication.
+4. Set `fetch_secrets_from_app_key_vault = true`, then re-run Terraform to populate the app with secret environment variables and enable authentication.
 
 Example (app secrets):
 ```hcl

infrastructure/modules/container-app/README.md

@@ -54,15 +54,15 @@ The container app can be mapped to Azure Key Vaults for secret management:
   - Secrets are updated when Terraform runs, or automatically within 30 minutes.
 
 - **Infra Key Vault:**
-  - When authentication is enabled (`enable_auth = true`), secrets are fetched from the infra key vault using the list in `infra_secret_names` (default: `aad-client-id`, `aad-client-secret`, `aad-client-audiences`).
+  - When authentication is enabled (`enable_entra_id_authentication = true`), secrets are fetched from the infra key vault using the list in `infra_secret_names` (default: `aad-client-id`, `aad-client-secret`, `aad-client-audiences`).
   - You can override `infra_secret_names` to fetch additional or custom secrets as needed.
   - The infra key vault must exist and be populated with the required secrets before enabling authentication.
 
-**Warning:** The module cannot read from a key vault if it doesn't exist yet. Recommended workflow:
+**Warning:** The module cannot read from the app key vault if it doesn't exist yet. Recommended workflow:
 1. Create the key vault(s) using the [key-vault module](../key-vault/).
-2. Deploy the container app with `fetch_secrets_from_app_key_vault = false` (default) and/or `enable_auth = false`.
+2. Deploy the container app with `fetch_secrets_from_app_key_vault = false` (default).
 3. Manually add the required secrets to the key vault(s).
-4. Set `fetch_secrets_from_app_key_vault = true` and/or `enable_auth = true`, then re-run Terraform to populate the app with secret environment variables and enable authentication.
+4. Set `fetch_secrets_from_app_key_vault = true`, then re-run Terraform to populate the app with secret environment variables and enable authentication.
 
 Example (app secrets):
 ```hcl
@@ -78,7 +78,7 @@ Example (infra secrets for authentication):
 ```hcl
 module "container-app" {
   ...
-  enable_auth           = true
+  enable_entra_id_authentication           = true
   infra_key_vault_name  = "my-infra-kv"
   infra_key_vault_rg    = "my-infra-rg"
   infra_secret_names    = ["aad-client-id", "aad-client-secret", "aad-client-audiences"] # can be customized
@@ -90,7 +90,7 @@ module "container-app" {
 ## Authentication
 
 To enable Azure AD authentication:
-- Set `enable_auth = true`.
+- Set `enable_entra_id_authentication = true`.
 - Provide the infra key vault details (`infra_key_vault_name`, `infra_key_vault_rg`).
 - Ensure the infra key vault contains the required secrets listed in `infra_secret_names` (default: `aad-client-id`, `aad-client-secret`, `aad-client-audiences`).
 - You may customize `infra_secret_names` to fetch additional secrets if needed.
@@ -99,7 +99,7 @@ Example:
 ```hcl
 module "container-app" {
   ...
-  enable_auth           = true
+  enable_entra_id_authentication           = true
   infra_key_vault_name  = "my-infra-kv"
   infra_key_vault_rg    = "my-infra-rg"
   infra_secret_names    = ["aad-client-id", "aad-client-secret", "aad-client-audiences"]

infrastructure/modules/container-app/data.tf

@@ -8,13 +8,13 @@ data "azurerm_key_vault_secrets" "app" {
 
 data "azurerm_key_vault" "infra" {
   provider            = azurerm.hub
-  count               = var.enable_auth ? 1 : 0
+  count               = var.enable_entra_id_authentication ? 1 : 0
   name                = var.infra_key_vault_name
   resource_group_name = var.infra_key_vault_rg
 }
 
 data "azurerm_key_vault_secret" "infra" {
-  for_each     = var.enable_auth ? toset(var.infra_secret_names) : toset([])
+  for_each     = var.enable_entra_id_authentication ? toset(var.infra_secret_names) : toset([])
   name         = each.value
   key_vault_id = data.azurerm_key_vault.infra[0].id
 }

infrastructure/modules/container-app/main.tf

@@ -17,7 +17,7 @@ module "key_vault_reader_role_app" {
 }
 
 module "key_vault_reader_role_infra" {
-  count = var.enable_auth ? 1 : 0
+  count = var.enable_entra_id_authentication ? 1 : 0
 
   source = "../rbac-assignment"
 
@@ -50,7 +50,7 @@ resource "azurerm_container_app" "main" {
   dynamic "secret" {
 
     for_each = concat(var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : [],
-    var.enable_auth ? [for s in data.azurerm_key_vault_secret.infra : { name = s.name, id = s.id }] : [])
+    var.enable_entra_id_authentication ? [for s in data.azurerm_key_vault_secret.infra : { name = s.name, id = s.id }] : [])
 
     content {
       # KV secrets are uppercase and hyphen separated
@@ -153,7 +153,7 @@ resource "azurerm_container_app" "main" {
 ## - aad-client-secret
 ## - aad-client-audiences
 resource "azapi_resource" "auth" {
-  count     = var.enable_auth ? 1 : 0
+  count     = var.enable_entra_id_authentication ? 1 : 0
   type      = "Microsoft.App/containerApps/authConfigs@2025-01-01"
   name      = "current"
   parent_id = azurerm_container_app.main.id

infrastructure/modules/container-app/tfdocs.md

@@ -96,9 +96,9 @@ Type: `bool`
 
 Default: `false`
 
-### <a name="input_enable_auth"></a> [enable\_auth](#input\_enable\_auth)
+### <a name="input_enable_entra_id_authentication"></a> [enable\_entra\_id\_authentication](#input\_enable\_entra\_id\_authentication)
 
-Description: Enable authentication for the container app. If true, the app will use Azure AD authentication.
+Description: Enable authentication for the container app. If true, the app will use Entra ID authentication to restrict web access.
 
 Type: `bool`
 

infrastructure/modules/container-app/variables.tf

@@ -112,8 +112,8 @@ variable "workload_profile_name" {
   nullable    = false
 }
 
-variable "enable_auth" {
-  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+variable "enable_entra_id_authentication" {
+  description = "Enable authentication for the container app. If true, the app will use Entra ID authentication to restrict web access."
   type        = bool
   default     = false
 }